Staking Ether on Prysm client with our Docker Composer

Document history

15. December 2020Published

Important notes & Disclaimer

This guide is provided without any warranty/guarantee (“as is”). Feel free to let us know your feedback! We are happy to apply healthy critique to this guide!


There are several steps to complete a prysm-only (standalone) Ethereum 2.0 staking setup for Pyrmont testnet. This guide uses ethereum2-docker-compose to orchestrate the services. Some (not all) software used in this particular guide:

Hardware recommendations

Following hardware specifications are recommended to run the Prysm client on testnet while a mainnet required higher specifications than testnet.

  • CPU: 4 vCPUs or higher
  • Memory: 8gb or higher
  • Storage: 100gb available space SSD for testnet (in this guide Pyrmont)
  • Internet: Stable broadband connection


This guide is for the Pyrmont testnet.

Guide’s steps

In unison, we’ll go through the following steps to achieve staking with the prysm client:

  1. Connect & Prepare the server
  2. Prepare the validator(s)
  3. Prepare ethereum2-docker-compose
  4. Run ethereum2-docker-compose and staking ether

Here’s a checklist to ensure you start with the needed resources and skills, before we move on to step 1

Let’s get started!

Step 1 – Prepare Server

1.1 Connect to the Server

Using a SSH client, connect to your ubuntu server. In this guide putty installed on windows OS will be used to connect to ubuntu server. Obviously, you can use another SSH client tool installed on various operating system.  

If you don’t already use putty, download it and follow the installation guide. After successfully installation navigate to the directory where you have installed the application and run the .exe file:

Connection to the server with Putty

Put your server IP-address in Host Name (or IP Address) bar and give your session name in Saved session bar then click Save to save the configuration for next time to connect to your server.

Click Open then put your user name and password in terminal to log in to your server. That’s it, you are in!

Next time you can choose your session from Saved session bar, then click Open to connect to your server.

1.2 Change your authentication method from password to key (optional – SSH only)

Passwords are somewhat easy to guess or bruteforce, ensuring you are using authentication by key when you access your node via SSH is therefore a recommended and easy way to enhance security of your server. However, this is not mandatory if you either don’t expose the SSH port to the internet or don’t use SSH at all (e. g. having physical access only).

Generate SSH authentication keys

Execute puttygen.exe which is already installed previously with putty.


Now let’s generate a key pair by clicking on Generate button and move your mouse on the “PuTTY Key Generator” window until the progress bar is full.

generating key

After successful creation of your SSH key, save the public key as well as the private key

Keep the private key safe, don’t expose it to other users or unsafe storage (unencrypted usb stick). Also copy the text in the locked textbox (usually starts with ssh-rsa...) and safe it too. Now you can close the application

generated key

Connect to your server with your regular user, edit the file ~/.ssh/authorized_keys by executing nano ~/.ssh/authorized_keys and add the text you copied previously in a new line, looking like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAxdmaA0w//jS56ZpX+Oxv7pmq58+PrKGYAoKeXm3Z5wdw/MrdFwdNf3rKVyv6GX0RXt2xLhqoPlxrW9YRjwsRIYUTh/XQN7/i/kYewtb/hoJZ2I0U2YbutpqBPdSuMbJZY5lSTx2IH/0AOLG2K4w3W+SYhX4pDuAABzzdBg+W+pmI5nJBdk1YheLKYJVtab1VWK0pX8QfdDDo7qwCoSRlFDOzoNNvvTUVvXmRe+Qy6Sr8WT9LN2d/BDm95DzXzXWzs7SsEKP6MbXCpAp25zBzV3Z+Ltu9uws798IE5/kwQtTTe6geC/g6m15TW8nakgX1Yjff6C1P1P89dTsrfUyhdQ== rsa-key-20201118

Exit and save the file <Ctrl+X> and execute following command to make this file only accessible by your user

chmod 600 ~/.ssh/authorized_keys

Use SSH authentication keys


After that try to connect to your server using putty with key authentication. Use the setting Private key file for authentication and Browse... your previously generated and saved private key file. Don’t forget to enter an IP in the Session and click Open

Putty will ask you for your username – as usual – after you enter your username you should immediately login without the need of entering a password.

Private key for authentication

SSH command

If you don’t want to use putty but instead the SSH command of Windows 10, create a directory in your home folder with the name .ssh and copy your private key there, don’t forget to rename the private key file to id_rsa. This also works on linux and mac.

Disable password authentication for SSH

We already managed to login via keys. Now we can disable password authentication for SSH. To do this, run the following command to edit the necessary file

sudo nano /etc/ssh/sshd_config

Then edit the following lines as below:

  • Uncomment (remove the # in front of the line): PubkeyAuthentication yes
  • Find the line with “PasswordAuthentication” and change it to: PasswordAuthentication no

Exit and save the config file <Ctrl+X> and restart SSH by entering:

sudo systemctl restart sshd

Check it out by reconnecting your SSH session!

1.3 Create new user

By default the root user account on Ubuntu server is disabled, however it’s enabled by some cloud providers. It is risky to utilize the root user account to log in to the server. If the root user is utilized to log in then create a new user-level account with admin privileges instead using the root user to log in to your server.

Let’s create a new user-level account on ubuntu server as following

adduser <your-username>

You will be asked to create a password and some other information. At the end of the account creation process write “y” or “Y” to confirm that you filled out correctly.

a new user-level account on ubuntu

That’s it! we’ve just created new user on your ubuntu server! Next we going to give the admin rights to the new user.

In order to give grant admin rights to the new user-level account execute following

usermod -aG sudo <your-username>

When you log in as <your-username> you can type sudo before execute the commands to perform actions with superuser privileges


If you used SSH keys to connect to your ubuntu server via the root user you will need to associate the new user with the root user’s SSH key data executing following command

rsync --archive --chown=<yourusername>:<your-username> ~/.ssh /home/<your-username>

Then log out of root and log in as <your-username>. Now you can proceed further with your new user account. Congratulation!

1.4 Keep your Ubuntu up-to-date!

Most security vulnerabilities get fixed fast by the maintainers, therefore it`s important to keep your Ubuntu server updated by running:

sudo apt update && sudo apt upgrade -y

It’s not recommended to do this automatically because there are updates which need guidance in the update process (e. g. which config file to take, etc.)

However, running an update once a week isn’t much work and keeps your system safe and stable

1.5 Configure the firewall

Commonly used firewall is named “ufw“.  It’s used to restrict inbound traffic to the server. Before we enable it, SSH inbound traffic should be allowed

Allow SSH

Allows connection to the server over SSH. We are going to change the default port of 22 for security reasons as following

Choose a port number between 1024–49151 and run the following command to make sure your selection is not already in use on the server. If your chosen port number is in use you will get red text, then choose a different port number

sudo ss -tulpn | grep ':<your-SSH-port-number>'

Update the firewall to allow inbound traffic on <your-SSH-port-number>. SSH requires TCP

sudo ufw allow <your-SSH-port-number>/tcp

Next change the default SSH port

sudo nano /etc/ssh/sshd_config

Find the line with # Port 22 and change it to Port <your-port-number>. Remove the # in front of the line if it was present.

changing SSH port

Exit and save the config file <Ctrl+X> and restart SSH by following command

sudo systemctl restart ssh

and check to verify the rules have been correctly configured. In this guide port number 1234 is utilized as SSH port.

sudo ufw status numbered
ufw status

Then reconnect with your server using <your-port-number> instead SSH default port 22. Select your saved session from previous step and put your chosen SSH port number in <your-port-number>. Using putty should looks like this

putty using custom port number

1.6 Installing necessary packages

System packages

Start by installing the necessary packages with apt

sudo apt install git apt-transport-https ca-certificates curl software-properties-common python3-pip python3-docker virtualenv python3-setuptools gnupg2 pass net-tools

This installs following

  • git (source control to download ethereum2-docker-compose)
  • python3 + tooling
  • various other tooling

Docker & Docker-compose

Next, docker & docker-compose will be installed and we need both to run ethereum2-docker-compose

  • docker: open source containerization platform
  • docker-compose: defining and running multi-container docker applications

Run the following commands to install the necessary packages (some of them will be downloaded from the docker repository rather than Ubuntu’s main repositories)

curl -fsSL | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] $(lsb_release -cs) stable"
sudo apt update && sudo apt install docker-ce docker-compose

Last but not least, your user needs the privilege to run docker (replace <your-username> with your regular user name)

sudo usermod -aG docker <your-username>

Verify install

After successful installation let’s try to get the version of docker by following command

sudo docker version

and you should see something like this

Docker version

That’s all! We’ve just finished the installation of necessary packages which will be utilized to run ethereum2-docker-compose

Step 2 – Prepare Validator

Firstly we need to sign up validator account(s) to run validator(s) on the Ethereum 2.0 Pyrmont testnet

To sign up we will go through following steps:

  • Get goerli Ether (ETH) for testnet
  • Generate the validator key(s)
  • Stock the validator account(s)
  • Check validator’s status

2.1 Get goerli Ether (ETH)

Open your favorite browser, in this guide we will use “Google Chrome” and navigate to “More tools -> Extensions” then click “Chrome Web Store

chrome web store

Search “Metamask” in search bar and click on it

metamask extension

on the next window click on “Add to Chrome” then “Add Extension”. It will take few seconds

add metamask to google chrome

Now metamask extension is intalled on your browser. Next click on “Metamask” icon then “Get started” to sign up

metamask get started

Choose “Create a Wallet” option since we want to create a new wallet for Göerli Ethereum (ETH).

Obviously you can choose “Import wallet” option to import existing wallet using 12 word seed phrase

create a wallet

You will be asked to create password. Put your metamask wallet password and click on “Create”. On the next window read “Tips” before you save “Secret backup phrase” then click “Next”

metamask backup phrase

Next window you have to put your backup phrase to to make sure it is saved correctly.

confirm backup phrase

If you did everything right then you should see “Congratulations”!


Congratulation:)! Your Metamask wallet is now on your web browser and it is ready to use!

Afterwards log in to your wallet and using the drop-down at the top, select the “Goerli Test Network”

Goerli test Network

Then click on “Account” to copy your “Göerli Test Network” wallet address

copy wallet addres

You can get Göerli ETH from the #request-goerli-eth channel on the ethstaker Discord using your wallet address: !goerliEth <your-wallet-address>

get goerli from ethstaker Discord

32 ETH + gas fee deposit is required for each validator. Every 6 hours you can get 32 ETH from #request-goerli-eth channel on the ethstaker Discord

2.2 Generate validator keys

The validator client supports multiple validator keys. Each validator key is basically a “validator account” on the Pyrmont testnet. We will generate the validator keys using Eth2 launch pad for pyrmont testnet. Go here and click “GET STARTED”

pyrmont launchpad

go through the warning steps and click “continue” bottom of the page

pyrmont lauchpad warnings

on the next page select “Geth”, we will use geth as Eth1 client and click “Continue”

select “Prysm”, we will use prysm as Eth2 client and click “Continue”

next put your validator number and choose your OS on which the validator(s) key will be generated. In this guide we will use Windows as OS and number of validator is 2

number of validator and OS

then select “Download CLI app” and click “Download from Github”

download CLI app from github

In the assets section download “Latest release” of the deposit CLI app for windows

download eth2deposit-cli

Extract the where you want and navigate to deposit.exe then copy the path of deposit.exe

Open windows command prompt (cmd) to execute deposit.exe. Navigate to deposit.exe using windows command prompt like shown below

navigate to deposit.exe using CMD

Then execute following command to generate validator key(s). The --num-validator is the number of validator(s) you want to generate

generate validator key(s)

Choose mnemonic language and type your chosen language. In this guide English is chosen as mnemonic language then press <Enter>

Type validator keystore(s) password and repeat it then press <Enter>

validator keystore(s) password

After that you will see like this

validator keystore(s) seed phrase

Write it down and save it. Next you have to type your mnemonic to confirm that you’ve written it down, then press <Enter>

confirm mnemonic

After you’ve written mnemonic correctly, you should see something like this

generate validator keystore(s)

The newly created validator keys and deposit data file are at the specified location. See above!

The deposit_data-123….json file contains the public keys for the validators and information about the deposit. This file will be used to complete the deposit process in the next step.

The keystore-m_123...json files contain the encrypted signing key. There is one keystore-m per validator. These will be used to create the client validator wallet

go back to the web browser, scroll down to bottom of the page then click “Continue”

Since the validator keystore(s) are generated on the windows machine, we have to transfer them into ubuntu server.

From the windows machine, right-click on the network connections icon in the right bottom of the taskbar

network connection icon

Choose “Open Network & Internet settings”

open network & internet settings

Next choose “Sharing options”

sharing options

Now from your current network profile, choose the following options then press “Save changes”

current network profile

Open your file explorer and go to the validator key(s) directory then right-click on the folder and select “Properties”

open properties

After openning the folder properties, let’s choose the “Sharing” tab and select “Advanced Sharing”

open advanced sharing

Mark “Share this folder” then press “Apply” and press “OK” to continue

share this folder

Open windows command prompt and execute following

scp transfer

Only keystore-m_123...json files needed to be transferred to the server, not a deposit_data-123….json file. Now your validator keystores are on the server and they will be imported in next step

2.3 Stock the validator account(s)

This step involves depositing the required amount of Göerli ETH to the Pyrmont testnet staking contract.

You will be asked to upload the deposit_data-123….json which is generated previously. Browse or drag the file and click “Continue”

upload deposit file

Choose Metamask, since we use it for this guide then click “Continue”. Obviously you can use another wallet if you already have

choose wallet

Your MetaMask balance will be displayed. The site will allow you to continue if you have sufficient Goerli ETH balance

wallet balance

A summary shows the number of validators and total amount of Goerli ETH required. Check the warnings if you agree then click “Continue”


Click on “Initiate all Transactions”


This will pop open multiple instances of MetaMask, each with a 32 Göerli ETH transaction request to the Pyrmont testnet deposit contract. Click “Confirm” for each transaction.

After click on “Confirm” for each transaction you should get status “Transaction Successful” then click “Continue”

transaction status

You will get complete check list, go through this list, make sure you’ve done everything correct!


Done! We’ve prepared validator(s)!

2.4 Check validator’s status

Newly added validators can take a while (hours to days) to activate. You can check the status of your keys here. Put your Goerli Test Network wallet address in search bar then your keys will be shown as below

validator status

Step 3 – Prepare ethereum2-docker-compose

3.1 Clone repository

The next steps will guide you to install ethereum2-docker-compose in /opt. If you don’t feel comfortable with the path feel free to replace it with any path you might deem more appropriate.

Change directory by running

cd /opt

That was easy, right? Now a bit more heavy stuff

  • download (in git terms “clone”) the repository
  • change ownership of repository, replace <your-user> with your regular username
  • give execution permission to scripts
sudo git clone
sudo chown -R <your-user>:<your-user> ethereum2-docker-compose

3.2 Setup prysm-only docker-compose

Go to your new Ethereum 2 node and have a look

cd /opt/ethereum2-docker-compose

You see a couple of files and directories:

compose-examplesCollection of pre-defined docker-compose.yaml and docker-compose.override.yaml files
configConfig files for all services defined in docker-compose
dataPersistant data of containers
launchpadIf you want to import a launchpad wallet, drop your launchpad validator_keys here
walletsSensitive data! This contains the wallets with the accounts for staking
.envSettings for running docker-compose files (e. g. versions of docker images)
edc-*Small scripts to manage docker-compose
Overview of the structure of ethereum2-docker-compose

Minimal Setup (beacon & validator only)

In case you want to run only beacon & validator (geth, slasher, prometheus, grafana get disabled) move the ./compose-examples/prysm-only/override-examples/docker-compose.beacon-validator.override.yaml file in the same folder as your docker-compose.yaml and rename it to docker-compose.override.yaml. Read up on docker-compose files & override to customize your setup further.

Configure your node (optional)

Configuration files are located in the folder ./config. To gain a better connectivity for your beacon node you should specify your public ip and/or your dns name in ./config/prysm/beacon.yaml. Follow the guide Improve Peer-to-Peer Connectivity.

Validator accounts with launchpad

The necessary directories need to be created. Please create the directories ./data/prysm/validator/wallets.

Then put your wallet password in ./data/prysm/validator/passwords/wallet-password using following command

nano ./data/prysm/validator/passwords/wallet-password

Replace your wallet password here: <my-wallet-password>

wallet password

Wallet password will be utilized to import your validator account(s). Exit and save the file <Ctrl+X>

After that copy the related files ./compose-examples/prysm-only/docker-compose.yaml and compose-examples/prysm-only/create-account.yam to the project’s root directory ~/ethereum2-docker-compose using following command

cp compose-examples/prysm-only/docker-compose.yaml docker-compose.yaml
cp compose-examples/prysm-only/create-account.yaml create-account.yaml

We going to run prysm-only from project’s root directory. The docker-compose.yaml contains the service definitions with networking, storage, etc. while create-account.yaml contains configuration to import validator accounts into beacon node.

Next copy your generated validator keystore(s) from previous step  ~/keystore-m_123...json to ./launchpad/eth2.0-deposit-cli/validator_keys. The validators will be imported from there./launchpad/eth2.0-deposit-cli/validator_keys. Use following commands to create ./launchpad/eth2.0-deposit-cli/validator_keys directory

cd /opt/ethereum2-docker-compose
sudo mkdir -p ./launchpad/eth2.0-deposit-cli/validator_keys

A. Go back to the home directory where your validator keystore(s) files are stored from previous step then copy keystore-m_123...json files into ./launchpad/eth2.0-deposit-cli/validator_keys directory.

cd ~
sudo cp keystore-m_123...json ./launchpad/eth2.0-deposit-cli/validator_keys

B. The last thing we have to do before running ethereum2-docker-compose is execute following command to import your validator accounts

docker-compose -f create-account.yaml run validator-import-launchpad

You will be asked to accept terms and conditions, read it here then type “accept” to continue importing validators

accept term and conditions

and put the same password as in the generation of the validator(s) (see above step 2.2)

validator password

You can repeat step A & B as often as you like, make sure to restart your validator to make it notice your new accounts!

That’s all! The validators are imported into beacon node. Now we are ready to run ethereum2-docker-compose and staking ether.

Let’s go to the last step & run it as STAKER!

Step 4 – Run ethereum2-docker-compose and staking ether

Start it up

Run with (as deamon with “-d”)

docker-compose up -d

or run only certain services (in this case only beacon and validator)

docker-compose up -d beacon validator

Stop it

Stop services (or everything) like this

docker-compose stop validator slasher

Shut it down for good

Shut down your services (or everything) like this

docker-compose down

Please note: This will also erase your logs, they are stored with your containers and will be deleted as well


Docker takes care of log files and log file rotation as well as limit (set to 10x100mb log files for each service). View logs of a certain service

At first geth needs to catch up, this might take a while. You can check on geth with

docker-compose logs --tail=100 geth

You can do the same with all other services to check how it’s going

docker-compose logs --tail=100 beacon
docker-compose logs --tail=100 validator
docker-compose logs --tail=100 prometheus
docker-compose logs --tail=100 slasher
docker-compose logs --tail=100 grafana

For a complete list and a status of services run

docker-compose ps



Prometheus is running on port 3000 and only accessible via localhost. Therefore SSH tunnel need to be opened, following SSH command will open necessary port for Prometheus

ssh -L 9090:localhost:9090 <user>@<your-server-ip-or-dns>

or if you are using Putty then it should looks like this

putty SSH tunnel for prometheus

To access prometheus, open your favorite web browser and visit http://localhost:9090. You can type or choose some “Expression” then click on <Execute> button to get response! Use “Graph” tab to get response with illustrations



Do you want to see some basic metrics? No problem! Grafana is running on port 3000 but only accessible via localhost too. This means you need to open a SSH tunnel. When working with ssh command use following

ssh -L 3000:localhost:3000 <user>@<your-server-ip-or-dns>

For putty, use this setting and click on “Add”, then start your session normally (don’t forget to save)

putty SSH tunnel for grafana

Now open a browser and access http://localhost:3000 and use “admin” for username and password. You might want to enter a new more secure password after this, then click on the left menu on “Dashboard” -> “Manage” and click on an existing dashboard


Often times grafana doesn’t start due to permission issues, we’ll resolve this by using your user to run the grafana container. First, find out your user id:

id -u

Remember or write down this number and edit the docker-compose.yaml:

nano docker-compose.yaml

Now edit the service “grafana” and add “user: …” to it, so it looks something like this (replace “<your-user-id>” with the number you got above):

add user id

Prysm Web Interface

In order to utilize “Prysm Web Interface” you also need to open a SSH tunnel, as following SSH command

ssh -L 7500:localhost:7500 <user>@<your-server-ip-or-dns>
ssh -L 3500:localhost:3500 <user>@<your-server-ip-or-dns>

Or for putty, use this setting and click on add, then start your session normally (don’t forget to save)

putty SSH tunnel for prysm web interface

Next open your favorite web browser and visit http://localhost:7500 then put your “Prysm Web Interface” password to log in

prysm web interface login page

If it’s first time then choose “Imported Wallet“ option to import your validator keystore_m...json file generated from the eth2.0-deposit-cli in “step 2.2”. Then follow the steps and set your STRONG! enough “Prysm Web Interface” password (Note: Web interface password is different from wallet password also validator key’s password).

That’s all! Now you can monitor your beacon node, validator logs and more…

prysm web interface

Thanks for using ethereum2-docker-compose!

Enjoy staking!

Staking Ether on Prysm client with our Docker Composer
Scroll to top